<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta content="Cask Data, Inc." name="author" />
<meta content="Copyright © 2014-2016 Cask Data, Inc." name="copyright" />


    <meta name="git_release" content="6.1.1">
    <meta name="git_hash" content="05fbac36f9f7aadeb44f5728cea35136dbc243e5">
    <meta name="git_timestamp" content="2020-02-09 08:22:47 +0800">
    <title>Client Authentication</title>

    <link rel="stylesheet" href="../_static/cdap-bootstrap.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/bootstrap-3.3.6/css/bootstrap.min.css" type="text/css" />
    <link rel="stylesheet" href="../_static/bootstrap-3.3.6/css/bootstrap-theme.min.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/bootstrap-sphinx.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/cdap-dynamicscrollspy-4.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/jquery.mCustomScrollbar.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/cdap-jquery.mCustomScrollbar.css" type="text/css" />
    <link rel="stylesheet" href="../_static/css/abixTreeList-2.css" type="text/css" />
    <link rel="stylesheet" href="../_static/cdap-bootstrap.css" type="text/css" />

    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '',
        VERSION:     '6.1.1',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  false
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>

    <link rel="shortcut icon" href="../_static/favicon.ico"/>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="top" title="Cask Data Application Platform 6.1.1 Documentation" href="../index.html" />
    <link rel="up" title="Security" href="index.html" />
    <link rel="next" title="CDAP Authentication Client for Java" href="cdap-authentication-clients-java.html" />
    <link rel="prev" title="Security" href="index.html" />
    <!-- block extrahead -->
    <meta charset='utf-8'>
    <meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
    <meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
    <meta name="apple-mobile-web-app-capable" content="yes">
    <!-- block extrahead end -->

</head>
<body role="document">

<!-- block main content -->
<div class="main-container container">
  <div class="row"><div class="col-md-2">
    </div><div class="col-md-8 content" id="main-content">
    
  <div class="section" id="client-authentication">
<span id="id1"></span><h1>Client Authentication<a class="headerlink" href="#client-authentication" title="Permalink to this headline">🔗</a></h1>
<p>Client authentication in CDAP consists of two components:</p>
<ul class="simple">
<li><strong>Authentication Server:</strong> Clients must first authenticate with the authentication server using valid credentials.
The authentication server integrates with different authentication
backends (LDAP, JASPI plugins) using a plugin API. Once authenticated, clients are issued an access token
representing their identity.</li>
<li><strong>CDAP Router:</strong> the CDAP router serves as the secured host in the perimeter security
model.  All client calls to the cluster go through the router, and must present a valid access
token when security is enabled.</li>
</ul>
<div class="section" id="cdap-authentication-process">
<h2>CDAP Authentication Process<a class="headerlink" href="#cdap-authentication-process" title="Permalink to this headline">🔗</a></h2>
<p>CDAP provides support for authenticating clients using OAuth 2 Bearer tokens, which are issued
by the CDAP authentication server.  The authentication server provides the integration point
for all external authentication systems.  Clients authenticate with the authentication server as
follows:</p>
<a class="reference internal image-reference" href="../_images/auth_flow_simple.png"><img alt="Diagram of the client authentication flow described in the steps below" class="align-center" src="../_images/auth_flow_simple.png" style="width: 7in;" /></a>
<ol class="arabic simple">
<li>Client initiates authentication, supplying credentials.</li>
<li>Authentication server validates supplied credentials against an external identity service,
according to configuration (LDAP, Active Directory, custom).<ol class="loweralpha">
<li>If validation succeeds, the authentication server returns an Access Token to the client.</li>
<li>If validation fails, the authentication server returns a failure message, at which point
the client can retry.</li>
</ol>
</li>
<li>The client stores the resulting Access Token and supplies it in subsequent requests.</li>
<li>CDAP processes validate the supplied Access Token on each request.<ol class="loweralpha">
<li>If validation succeeds, processing continues to authorization.</li>
<li>If the submitted token is invalid, an “invalid token” error is returned.</li>
<li>If the submitted token is expired, an “expired token” error is returned.  In this case, the
client should restart authentication from step #1.</li>
</ol>
</li>
</ol>
</div>
<div class="section" id="supported-authentication-mechanisms">
<h2>Supported Authentication Mechanisms<a class="headerlink" href="#supported-authentication-mechanisms" title="Permalink to this headline">🔗</a></h2>
<p>CDAP provides several ways to authenticate a client’s identity:</p>
<ul class="simple">
<li><span class="xref std std-ref">installation-basic-authentication</span></li>
<li><span class="xref std std-ref">installation-ldap-authentication</span></li>
<li><span class="xref std std-ref">installation-jaspi-authentication</span></li>
<li><a class="reference internal" href="custom-authentication.html#developer-custom-authentication"><span class="std std-ref">Custom Authentication</span></a></li>
</ul>
<p>To configure security, see the 管理手册’s <span class="xref std std-ref">configuration-security</span>.</p>
</div>
<div class="section" id="obtaining-an-access-token">
<h2>Obtaining an Access Token<a class="headerlink" href="#obtaining-an-access-token" title="Permalink to this headline">🔗</a></h2>
<p>Obtain a new access token by calling:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">GET</span> <span class="o">&lt;</span><span class="n">base</span><span class="o">-</span><span class="n">auth</span><span class="o">-</span><span class="n">url</span><span class="o">&gt;/</span><span class="n">token</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">&lt;base-auth-url&gt;</span></code> can be found either by making a request and retrieving the
authentication URI (<code class="docutils literal notranslate"><span class="pre">auth_uri</span></code>) in the response body or by knowing the configuration of
the CDAP server for the <code class="docutils literal notranslate"><span class="pre">security.auth.server.announce.address</span></code> and port, as described in the
<span class="xref std std-ref">管理手册: Security</span>.</p>
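<p>The required header and request parameters may vary according to the external
authentication mechanism that has been configured.  For username and password based
mechanisms, the <code class="docutils literal notranslate"><span class="pre">Authorization</span></code> header may be used.  Because the
<code class="docutils literal notranslate"><span class="pre">Basic</span></code> value is only a base-64 encoding of the username and password, not an
encrypted form, the request should be sent over HTTPS:</p>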
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="nl">Authorization:</span> <span class="n">Basic</span> <span class="n">czZCaGRSa3F0MzpnWDFmQmF0M2JW</span>
</pre></div>
</div>
<div class="section" id="http-responses">
<h3>HTTP Responses<a class="headerlink" href="#http-responses" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Status Codes</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">200</span> <span class="pre">OK</span></code></td>
<td>Authentication was successful and an access token will be returned</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">401</span> <span class="pre">Unauthorized</span></code></td>
<td>Authentication failed</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="success-response-fields">
<h3>Success Response Fields<a class="headerlink" href="#success-response-fields" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Response Fields</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">access_token</span></code></td>
<td>The Access Token issued for the client.  The serialized token contents are base-64 encoded
so that they survive transport over HTTP intact; the encoding does not encrypt or otherwise protect the token.</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">token_type</span></code></td>
<td>In order to conform with the OAuth 2.0 Bearer Token Usage specification (<a class="reference external" href="http://tools.ietf.org/html/rfc6750">RFC 6750</a>), this
value must be “Bearer”.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">expires_in</span></code></td>
<td>Token validity lifetime in seconds.</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="example">
<h3>Example<a class="headerlink" href="#example" title="Permalink to this headline">🔗</a></h3>
<p>Sample request:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">GET</span> <span class="o">&lt;</span><span class="n">base</span><span class="o">-</span><span class="n">auth</span><span class="o">-</span><span class="n">url</span><span class="o">&gt;/</span><span class="n">token</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span>
<span class="nl">Host:</span> <span class="n">server</span><span class="p">.</span><span class="na">example</span><span class="p">.</span><span class="na">com</span>
<span class="nl">Authorization:</span> <span class="n">Basic</span> <span class="n">czZCaGRSa3F0MzpnWDFmQmF0M2JW</span>
</pre></div>
</div>
<p>Sample response:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">200</span> <span class="n">OK</span>
<span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">application</span><span class="o">/</span><span class="n">json</span><span class="p">;</span><span class="n">charset</span><span class="o">=</span><span class="n">UTF</span><span class="o">-</span><span class="mi">8</span>
<span class="n">Cache</span><span class="o">-</span><span class="n">Control</span><span class="p">:</span> <span class="n">no</span><span class="o">-</span><span class="n">store</span>
<span class="nl">Pragma:</span> <span class="n">no</span><span class="o">-</span><span class="n">cache</span>

<span class="p">{</span>
  <span class="s">&quot;access_token&quot;</span><span class="p">:</span><span class="s">&quot;2YotnFZFEjr1zCsicMWpAA&quot;</span><span class="p">,</span>
  <span class="s">&quot;token_type&quot;</span><span class="p">:</span><span class="s">&quot;Bearer&quot;</span><span class="p">,</span>
  <span class="s">&quot;expires_in&quot;</span><span class="p">:</span><span class="mi">3600</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
<div class="section" id="comments">
<h3>Comments<a class="headerlink" href="#comments" title="Permalink to this headline">🔗</a></h3>
<ul class="simple">
<li>Only <code class="docutils literal notranslate"><span class="pre">Bearer</span></code> tokens (<a class="reference external" href="http://tools.ietf.org/html/rfc6750">RFC 6750</a>) are currently supported</li>
</ul>
</div>
</div>
<div class="section" id="authentication-with-restful-endpoints">
<h2>Authentication with RESTful Endpoints<a class="headerlink" href="#authentication-with-restful-endpoints" title="Permalink to this headline">🔗</a></h2>
<p>When security is enabled on a CDAP cluster, only requests with a valid access token will
be allowed by CDAP.  Clients accessing CDAP HTTP RESTful endpoints will first need to
obtain an access token from the authentication server, as described above, which will be
passed to the router daemon on subsequent HTTP requests.</p>
<p>The following request and response descriptions apply to all CDAP HTTP RESTful endpoints:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">GET</span> <span class="o">&lt;</span><span class="n">base</span><span class="o">-</span><span class="n">url</span><span class="o">&gt;/&lt;</span><span class="n">resource</span><span class="o">&gt;</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">&lt;base-url&gt;</span></code> is typically <code class="docutils literal notranslate"><span class="pre">http://&lt;host&gt;:11015</span></code> or
<code class="docutils literal notranslate"><span class="pre">https://&lt;host&gt;:10443</span></code>, as described in the <span class="xref std std-ref">RESTful API Conventions</span>.</p>
<p>In order to authenticate, all client requests must supply the <code class="docutils literal notranslate"><span class="pre">Authorization</span></code> header:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="nl">Authorization:</span> <span class="n">Bearer</span> <span class="n">wohng8Xae7thahfohshahphaeNeeM5ie</span>
</pre></div>
</div>
<p>For CDAP-issued access tokens, the authentication scheme must always be <code class="docutils literal notranslate"><span class="pre">Bearer</span></code>.</p>
<div class="section" id="id2">
<h3>HTTP Responses<a class="headerlink" href="#id2" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Status Codes</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">200</span> <span class="pre">OK</span></code></td>
<td>Authentication was successful and an access token will be returned</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">401</span> <span class="pre">Unauthorized</span></code></td>
<td>Authentication failed</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">403</span> <span class="pre">Forbidden</span></code></td>
<td>Authentication succeeded, but access to the requested resource was denied</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="error-response-fields">
<h3>Error Response Fields<a class="headerlink" href="#error-response-fields" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Response Fields</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">error</span></code></td>
<td>An error code describing the type of failure (see <a class="reference internal" href="#error-code-values">Error Code Values</a>)</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">error_description</span></code></td>
<td>A human readable description of the error that occurred</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">auth_uri</span></code></td>
<td>List of URIs for running authentication servers.  If a client receives a <code class="docutils literal notranslate"><span class="pre">401</span>
<span class="pre">Unauthorized</span></code> response, it can use one of the values from this list to request a new
access token.</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="error-code-values">
<h3>Error Code Values<a class="headerlink" href="#error-code-values" title="Permalink to this headline">🔗</a></h3>
<table border="1" class="docutils">
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Error Code</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">invalid_request</span></code></td>
<td>The request is missing a required parameter or is otherwise malformed</td>
</tr>
<tr class="row-odd"><td><code class="docutils literal notranslate"><span class="pre">invalid_token</span></code></td>
<td>The supplied access token is expired, malformed, or otherwise invalid.  The client may
request a new access token from the authentication server and try the call again.</td>
</tr>
<tr class="row-even"><td><code class="docutils literal notranslate"><span class="pre">insufficient_scope</span></code></td>
<td>The supplied access token was valid, but the authenticated identity failed authorization
for the requested resource</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="id3">
<h3>Example<a class="headerlink" href="#id3" title="Permalink to this headline">🔗</a></h3>
<p>A sample request and responses for different error conditions are shown below.  Header values are
wrapped for display purposes.</p>
<p>Request:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">GET</span> <span class="o">&lt;</span><span class="n">base</span><span class="o">-</span><span class="n">url</span><span class="o">&gt;/</span><span class="n">resource</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span>
<span class="nl">Host:</span> <span class="n">server</span><span class="p">.</span><span class="na">example</span><span class="p">.</span><span class="na">com</span>
<span class="nl">Authorization:</span> <span class="n">Bearer</span> <span class="n">wohng8Xae7thahfohshahphaeNeeM5ie</span>
</pre></div>
</div>
<p>Missing token:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">401</span> <span class="n">Unauthorized</span>
<span class="n">WWW</span><span class="o">-</span><span class="n">Authenticate</span><span class="p">:</span> <span class="n">Bearer</span> <span class="n">realm</span><span class="o">=</span><span class="s">&quot;example&quot;</span>

<span class="p">{</span>
  <span class="s">&quot;auth_uri&quot;</span><span class="p">:</span> <span class="o">[</span><span class="s">&quot;https://server.example.com:10010/token&quot;</span><span class="o">]</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Invalid or expired token:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">401</span> <span class="n">Unauthorized</span>
<span class="n">WWW</span><span class="o">-</span><span class="n">Authenticate</span><span class="p">:</span> <span class="n">Bearer</span> <span class="n">realm</span><span class="o">=</span><span class="s">&quot;example&quot;</span><span class="p">,</span>
                    <span class="n">error</span><span class="o">=</span><span class="s">&quot;invalid_token&quot;</span><span class="p">,</span>
                    <span class="n">error_description</span><span class="o">=</span><span class="s">&quot;The access token expired&quot;</span>

<span class="p">{</span>
  <span class="s">&quot;error&quot;</span><span class="p">:</span> <span class="s">&quot;invalid_token&quot;</span><span class="p">,</span>
  <span class="s">&quot;error_description&quot;</span><span class="p">:</span> <span class="s">&quot;The access token expired&quot;</span><span class="p">,</span>
  <span class="s">&quot;auth_uri&quot;</span><span class="p">:</span> <span class="o">[</span><span class="s">&quot;https://server.example.com:10010/token&quot;</span><span class="o">]</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
<div class="section" id="id4">
<h3>Comments<a class="headerlink" href="#id4" title="Permalink to this headline">🔗</a></h3>
<ul class="simple">
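<li>The <code class="docutils literal notranslate"><span class="pre">auth_uri</span></code> value in the error responses indicates where the authentication server(s) are
running, allowing clients to discover instances from which they can obtain access tokens.
Because the client then submits user credentials to that address, it should accept
<code class="docutils literal notranslate"><span class="pre">auth_uri</span></code> values only from responses received over a trusted TLS connection to the
CDAP router, and should check that each URI uses <code class="docutils literal notranslate"><span class="pre">https</span></code> and names an expected host
before sending credentials to it.</li>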
</ul>
</div>
</div>
</div>

</div>
    <div class="col-md-2">
      <div id="right-sidebar" class="bs-sidenav scrollable-y" role="complementary">
        <div id="localtoc-scrollspy">
        </div>
      </div>
    </div></div>
</div>
<!-- block main content end -->
<script type="text/javascript" src="../_static/bootstrap-3.3.6/js/bootstrap.min.js"></script><script type="text/javascript" src="../_static/js/bootstrap-sphinx.js"></script><script type="text/javascript" src="../_static/js/abixTreeList-2.js"></script><script type="text/javascript" src="../_static/js/cdap-dynamicscrollspy-4.js"></script><script type="text/javascript" src="../_static/js/cdap-version-menu.js"></script><script type="text/javascript" src="../_static/js/copy-to-clipboard.js"></script><script type="text/javascript" src="../_static/js/jquery.mousewheel.min.js"></script><script type="text/javascript" src="../_static/js/jquery.mCustomScrollbar.js"></script><script type="text/javascript" src="../_static/js/js.cookie.js"></script><script type="text/javascript" src="../_static/js/tabbed-parsed-literal-0.2.js"></script><script type="text/javascript" src="../_static/js/cdap-onload-javascript.js"></script><script type="text/javascript" src="../_static/js/cdap-version-menu.js"></script>
    <script src="https://cdap.gitee.io/docs/cdap/json-versions.js"/></script>
  </body>
</html>